Summary and recommendation
Zscaler supports full SCIM 2.0 provisioning (create, update, deactivate users, and group management), but only on Enterprise plans starting at $25,000-250,000+/year. Teams on the basic Starter plan ($2.40/user/month) have no automated provisioning options beyond manual SAML JIT, creating a massive functionality gap for mid-market organizations that need cloud security for all employees but can't justify six-figure enterprise licensing.
The pricing jump is particularly problematic for Zscaler because it's a security platform that requires org-wide deployment - every employee needs access for web security policies to be effective. Without SCIM, IT teams face manual account management for potentially hundreds of users, creating security gaps when employees join or leave. The platform's hybrid SCIM implementation (SAML for create/update, API for delete with Okta) and 40-minute sync delays with Azure AD add operational complexity that smaller IT teams struggle to manage reliably.
The strategic alternative
Zscaler gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Zscaler accounts manually. Here's what that costs:
The Zscaler pricing problem
Zscaler gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | $2.40/user/month | ||
| Business | $8-12/user/month | ||
| Enterprise | $25,000-250,000+/year |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Starter | $2.40/user/month | ❌ |
| Business | $8-12/user/month | ❌ |
| Enterprise | $25,000-250,000+/year | ✓ |
Note: Enterprise pricing is custom and varies widely based on organization size, features, and contract terms. SCIM 2.0 is only available at the Enterprise level.
What this means in practice
Since Zscaler is typically deployed organization-wide for web security, the Enterprise requirement affects your entire user base:
| Organization Size | Estimated Enterprise Premium | Annual Impact |
|---|---|---|
| 500 users | $25,000+ base | $25,000+ |
| 1,000 users | $50,000+ base | $50,000+ |
| 2,500 users | $125,000+ base | $125,000+ |
These figures represent minimum Enterprise package costs - actual pricing often scales significantly higher based on usage, advanced features, and security requirements.
Additional constraints
Summary of challenges
- Zscaler supports SCIM but only at Enterprise tier ($25,000-250,000+/year)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Zscaler doesn't sell SCIM à la carte. It's bundled with Enterprise features that most organizations won't fully utilize:
The pricing jump from Starter ($2.40/user/month) to Enterprise represents a 10x+ cost increase that's primarily justified by advanced security features, not provisioning capabilities.
Stitchflow Insight
The Enterprise package costs $25,000-250,000+ annually depending on user count and features. If you just need automated provisioning for web security access, you're paying for an extensive security platform that may exceed your requirements. We estimate ~60% of Enterprise features are overkill for organizations that simply want to automate user lifecycle management for basic web filtering and security.
What IT admins are saying
Community sentiment on Zscaler's SCIM implementation reveals mixed feelings about both pricing and technical limitations. Common complaints:
- Enterprise tier requirement creates a massive cost barrier for smaller organizations
- Azure AD sync delays of 40 minutes frustrate admins needing real-time updates
- Confusing hybrid approach where Okta uses SAML for creates/updates but SCIM API for deletions
- Having to disable SAML auto-provisioning when implementing SCIM adds setup complexity
The pricing jump to Enterprise just for SCIM feels like they're holding basic identity management hostage. We're talking $25K minimum when competitors include this in much lower tiers.
That 40-minute sync delay with Azure AD is painful when you need to quickly provision new hires or deprovision terminated employees. Real-time security access shouldn't wait for a sync window.
The recurring theme
Zscaler's SCIM works well technically but the Enterprise pricing barrier and sync delays create operational friction that smaller organizations struggle to justify.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise tier | Use Stitchflow: avoid the $25K+ minimum Enterprise upgrade |
| On Starter/Basic plan, growing user base | Use Stitchflow: get SCIM without jumping to Enterprise pricing |
| Already on Enterprise tier | Use native SCIM: you're paying for it already |
| Limited to Okta/Azure AD, need full SCIM | Use native SCIM: well-supported IdP integrations |
| Using Google Workspace or OneLogin | Use Stitchflow: native SCIM doesn't support these IdPs |
| Small security team, infrequent changes | Manual may work short-term: but cloud security requires org-wide coverage |
The bottom line
Zscaler gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Zscaler workflows AI-native
Zscaler gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Azure AD SCIM sync every 40 minutes
- SAML auto-provisioning should be disabled when using SCIM
- Okta provisioning uses SAML for create/update, API for delete only
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Use Zscaler 2.0 OIN integration. Create/update via SAML, delete via SCIM API. SAML auto-provisioning should be disabled when using SCIM.
Zscaler gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM provisioning available. SCIM API requires Enterprise package. Sync every 40 minutes.
Zscaler gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Zscaler
Zscaler gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
